25 July 2011, 23:56

That trick was really about to get me...

 

[Screenshot: msg_Facebook_250711_annon.jpg (the Facebook chat message)]

 

The bot would really make you believe it is your Facebook contact talking to you, but it is not...

I sent the URL to VirusTotal; here are the results: nothing to worry about, apparently...

URL analysis tool      | Result
Avira                  | Clean site
BitDefender            | Clean site
Dr.Web                 | Clean site
G-Data                 | Clean site
Malc0de Database       | Clean site
MalwareDomainList      | Clean site
Opera                  | Clean site
ParetoLogic            | Error
Phishtank              | Clean site
TrendMicro             | Unrated site
Websense ThreatSeeker  | Unrated site
Wepawet                | Unrated site

Normalized URL: http://213.231.133.56/830578583
URL MD5: 57e229513f552a0ba3775213d1d6b8c6

https://www.virustotal.com/url-scan/report.html?id=57e229513f552a0ba3775213d1d6b8c6-1311622558#

 

Even the analysis of the "downloaded file" (what VirusTotal fetched from the URL, 61988 bytes) shows no alert:

Antivirus | Version | Last update | Result
AhnLab-V3 | 2011.07.26.00 | 2011.07.25 | -
AntiVir | 7.11.12.103 | 2011.07.25 | -
Antiy-AVL | 2.0.3.7 | 2011.07.25 | -
Avast | 4.8.1351.0 | 2011.07.25 | -
Avast5 | 5.0.677.0 | 2011.07.25 | -
AVG | 10.0.0.1190 | 2011.07.25 | -
BitDefender | 7.2 | 2011.07.25 | -
CAT-QuickHeal | 11.00 | 2011.07.25 | -
ClamAV | 0.97.0.0 | 2011.07.25 | -
Commtouch | 5.3.2.6 | 2011.07.25 | -
Comodo | 9510 | 2011.07.25 | -
DrWeb | 5.0.2.03300 | 2011.07.25 | -
Emsisoft | 5.1.0.8 | 2011.07.25 | -
eSafe | 7.0.17.0 | 2011.07.25 | -
eTrust-Vet | 36.1.8464 | 2011.07.25 | -
F-Prot | 4.6.2.117 | 2011.07.25 | -
Fortinet | 4.2.257.0 | 2011.07.25 | -
GData | 22 | 2011.07.25 | -
Ikarus | T3.1.1.104.0 | 2011.07.25 | -
Jiangmin | 13.0.900 | 2011.07.25 | -
K7AntiVirus | 9.108.4945 | 2011.07.25 | -
Kaspersky | 9.0.0.837 | 2011.07.25 | -
McAfee | 5.400.0.1158 | 2011.07.25 | -
McAfee-GW-Edition | 2010.1D | 2011.07.25 | -
Microsoft | 1.7104 | 2011.07.25 | -
NOD32 | 6324 | 2011.07.25 | -
Norman | 6.07.10 | 2011.07.25 | -
nProtect | 2011-07-25.02 | 2011.07.25 | -
Panda | 10.0.3.5 | 2011.07.25 | -
PCTools | 8.0.0.5 | 2011.07.25 | -
Prevx | 3.0 | 2011.07.25 | -
Rising | 23.68.00.05 | 2011.07.25 | -
Sophos | 4.67.0 | 2011.07.25 | -
SUPERAntiSpyware | 4.40.0.1006 | 2011.07.25 | -
Symantec | 20111.1.0.186 | 2011.07.25 | -
TheHacker | 6.7.0.1.262 | 2011.07.24 | -
TrendMicro | 9.200.0.1012 | 2011.07.25 | -
TrendMicro-HouseCall | 9.200.0.1012 | 2011.07.25 | -
VBA32 | 3.12.16.4 | 2011.07.25 | -
VIPRE | 9964 | 2011.07.25 | -
ViRobot | 2011.7.25.4587 | 2011.07.25 | -
VirusBuster | 14.0.138.0 | 2011.07.25 | -

MD5: a6e4771c5a15705054b529d6d9a74c5b
SHA1: 8cfbec24fb7623f888b6d6f156d9a8284299d319
SHA256: c91712143eefa0f98daec77036d6a22a2c1633556bfdbe895392ed8b559ad00a
File size: 61988 bytes
Scan date: 2011-07-25 21:45:21 (UTC)

https://www.virustotal.com/file-scan/report.html?id=c91712143eefa0f98daec77036d6a22a2c1633556bfdbe895392ed8b559ad00a-1311630321

 

And the reason is quite simple: there is neither an automatic file download nor a drive-by download. Once again, the user is lured into downloading the "latest Flash Player version" himself...

[Screenshot: site_youtube_flash_250711_annon.jpg (the fake YouTube page)]

 

Pretty well done, huh? But this is not YouTube...

What I find pretty outstanding is that the fake YouTube website grabbed the Facebook victim's username, and furthermore, fake comments from the victim's contacts are displayed below the (fake) video!

 

Note that the URL is a bare IP address, with no domain name. According to Netcraft, the server is hosted in Bulgaria: http://toolbar.netcraft.com/site_report?url=http://213.231.133.56

So, in order to view the video, the user is supposed to click on the link. It serves a Flash-Player.exe file, hosted on the same HTTP server.

And this time, the AV scans do tell us something interesting (15 of the 42 engines flag the file):
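The two indicators just described, a bare IP address instead of a domain name and a "Flash Player" executable served from that same host, are exactly what a proxy-log check can catch even while the URL reputation services above say "Clean site". The following is an added example (not code from the original post): it runs that check over a few constructed proxy log lines, and also matches the SHA256 of the Flash-Player.exe sample reported on this page. The log format, the sample lines and the lure-name patterns other than "Flash-Player.exe" are assumptions.

```python
"""
Added example, not part of the original post: flag requests whose host is a
bare IP address, executables with lure-style names served from such hosts,
and downloads whose SHA256 matches the payload hash reported on this page.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# SHA256 of the Flash-Player.exe sample as reported by VirusTotal on the page.
KNOWN_BAD_SHA256 = {
    "7a9578ad75913564178f1e5c5be2fade4abb20835ff9ec82eb0716ce7a151c7d":
        "Flash-Player.exe (Facebook chat lure, July 2011)",
}

# "Flash-Player.exe" is from the page; the other name fragments are assumed
# variants of the same "install this to watch the video" lure.
LURE_EXE = re.compile(r"(flash[-_ ]?player|adobe|codec|youtube).*\.exe$", re.I)


def is_bare_ip_host(url):
    """True when the URL's host is an IP literal rather than a domain name."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(url, sha256=None):
    """Return the list of reasons a request is suspicious; empty means clean."""
    reasons = []
    bare = is_bare_ip_host(url)
    path = urlsplit(url).path
    filename = path.rsplit("/", 1)[-1]
    if bare:
        reasons.append("bare-ip-host")
    if LURE_EXE.search(filename):
        reasons.append("lure-exe-name")
    if bare and path.lower().endswith(".exe"):
        reasons.append("exe-from-bare-ip")
    if sha256 and sha256.lower() in KNOWN_BAD_SHA256:
        reasons.append("known-bad-sha256")
    return reasons


# Constructed proxy log (assumed format): client, URL, HTTP status,
# SHA256 of the response body or "-" when the proxy did not record one.
SAMPLE_LOG = """\
10.0.0.12 http://www.youtube.com/watch?v=abc123 200 -
10.0.0.12 http://213.231.133.56/830578583 200 -
10.0.0.12 http://213.231.133.56/Flash-Player.exe 200 7a9578ad75913564178f1e5c5be2fade4abb20835ff9ec82eb0716ce7a151c7d
10.0.0.7 http://get.adobe.com/flashplayer/ 200 -
10.0.0.7 http://192.0.2.10/index.html 200 -
"""


def scan_log(text):
    """Yield (client, url, reasons) for every suspicious line of the log."""
    hits = []
    for line in text.splitlines():
        client, url, _status, digest = line.split()
        reasons = classify(url, None if digest == "-" else digest)
        if reasons:
            hits.append((client, url, reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(client, url, ", ".join(reasons))
```

A bare IP host on its own is only a weak signal (the constructed 192.0.2.10 line shows it fires on any such request), so in practice it is the combination, an executable with a lure name fetched from an IP-only host right after a page on that host, that deserves an alert; the hash match is the strong signal once the sample is known.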

Antivirus | Version | Last update | Result
AhnLab-V3 | 2011.07.26.00 | 2011.07.25 | Virus/Win32.AntiAV
AntiVir | 7.11.12.103 | 2011.07.25 | TR/AntiAV.oao
Antiy-AVL | 2.0.3.7 | 2011.07.25 | -
Avast | 4.8.1351.0 | 2011.07.25 | -
Avast5 | 5.0.677.0 | 2011.07.25 | -
AVG | 10.0.0.1190 | 2011.07.25 | -
BitDefender | 7.2 | 2011.07.25 | -
CAT-QuickHeal | 11.00 | 2011.07.25 | -
ClamAV | 0.97.0.0 | 2011.07.25 | -
Commtouch | 5.3.2.6 | 2011.07.25 | -
Comodo | 9510 | 2011.07.25 | Heur.Suspicious
DrWeb | 5.0.2.03300 | 2011.07.25 | Trojan.Siggen2.58184
Emsisoft | 5.1.0.8 | 2011.07.25 | Trojan.Win32.AntiAV!IK
eSafe | 7.0.17.0 | 2011.07.25 | -
eTrust-Vet | 36.1.8464 | 2011.07.25 | -
F-Prot | 4.6.2.117 | 2011.07.25 | -
Fortinet | 4.2.257.0 | 2011.07.25 | -
GData | 22 | 2011.07.25 | -
Ikarus | T3.1.1.104.0 | 2011.07.25 | Trojan.Win32.AntiAV
Jiangmin | 13.0.900 | 2011.07.25 | -
K7AntiVirus | 9.108.4945 | 2011.07.25 | -
Kaspersky | 9.0.0.837 | 2011.07.25 | Trojan.Win32.AntiAV.oao
McAfee | 5.400.0.1158 | 2011.07.25 | Artemis!7A3BC4D258CB
McAfee-GW-Edition | 2010.1D | 2011.07.25 | Artemis!7A3BC4D258CB
Microsoft | 1.7104 | 2011.07.25 | Backdoor:Win32/Delf.KV
NOD32 | 6324 | 2011.07.25 | Win32/Delf.QCZ
Norman | 6.07.10 | 2011.07.25 | -
nProtect | 2011-07-25.02 | 2011.07.25 | -
Panda | 10.0.3.5 | 2011.07.25 | -
PCTools | 8.0.0.5 | 2011.07.25 | Net-Worm.SillyFDC!rem
Prevx | 3.0 | 2011.07.25 | -
Rising | 23.68.00.05 | 2011.07.25 | -
Sophos | 4.67.0 | 2011.07.25 | Mal/Generic-L
SUPERAntiSpyware | 4.40.0.1006 | 2011.07.25 | -
Symantec | 20111.1.0.186 | 2011.07.25 | W32.SillyFDC
TheHacker | 6.7.0.1.262 | 2011.07.24 | -
TrendMicro | 9.200.0.1012 | 2011.07.25 | -
TrendMicro-HouseCall | 9.200.0.1012 | 2011.07.25 | -
VBA32 | 3.12.16.4 | 2011.07.25 | -
VIPRE | 9964 | 2011.07.25 | FraudTool.Win32.SecurityTool (v)
ViRobot | 2011.7.25.4587 | 2011.07.25 | -
VirusBuster | 14.0.138.0 | 2011.07.25 | -

MD5: 7a3bc4d258cbe30dfb0649ee863fae25
SHA1: 9735e42aed649b87bca6455ddccf92cc563cb17b
SHA256: 7a9578ad75913564178f1e5c5be2fade4abb20835ff9ec82eb0716ce7a151c7d
File size: 1185280 bytes
Scan date: 2011-07-25 21:39:44 (UTC)

https://www.virustotal.com/file-scan/report.html?id=7a9578ad75913564178f1e5c5be2fade4abb20835ff9ec82eb0716ce7a151c7d-1311629984#

 

Unfortunately, the URL itself does not trigger many security systems:

- Internet Explorer (with Trend Micro Browser Guard): no alert

- Firefox 5: no alert

- Chrome 12.0.742: no alert 

- Safari 5: no alert.

- Webreputation: "domain not reachable"... 

In fact, most of these results are already summarized in VirusTotal's "URL analysis tool" report above.

 

While investigating the threat, I noticed they apparently use a stealth system: you can't request the site several times, even using different browsers, or you're going to be blocked.

The block applies to HTTP, while ping (ICMP) still gets replies.
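The behaviour just described (repeat visits refused regardless of browser, while ICMP still answers) is consistent with an HTTP-layer gate keyed on the client's source IP. The following is an added example, a reconstruction of that kind of gate and not the attacker's code, which the post does not show; it exists to make concrete why switching browsers does not help and why a ping tells you nothing about it. The `limit` of one visit per IP and the User-Agent strings are assumptions.

```python
"""
Added example, not the server's actual code: a per-source-IP "serve once,
then refuse" gate of the kind the post's observations suggest. The decision
depends only on the client IP; the User-Agent is ignored on purpose, which
is why trying another browser from the same address still gets blocked.
"""
from collections import defaultdict


class OneShotGate:
    """Serve the lure page to each source IP at most `limit` times, then refuse."""

    def __init__(self, limit=1):
        self.limit = limit
        self.hits = defaultdict(int)
        self.blocked = set()

    def handle(self, client_ip, user_agent):
        # The User-Agent is accepted but never consulted: the key is the IP only.
        if client_ip in self.blocked:
            return 403, "blocked"
        self.hits[client_ip] += 1
        if self.hits[client_ip] > self.limit:
            self.blocked.add(client_ip)
            return 403, "blocked"
        return 200, "lure page served"


def probe(gate, client_ip, user_agents):
    """Simulate an analyst retrying with several browsers from one egress IP."""
    return [gate.handle(client_ip, ua)[0] for ua in user_agents]


# Constructed User-Agent strings for the browsers tried on the page (assumed).
UAS = [
    "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0",
    "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.30 (KHTML, like Gecko) "
    "Chrome/12.0.742.122 Safari/534.30",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)",
]

if __name__ == "__main__":
    gate = OneShotGate(limit=1)
    # Same analyst IP, three browsers: only the first request sees the page.
    print("same IP, three browsers:", probe(gate, "198.51.100.20", UAS))
    # A fresh source IP is treated as a new victim and gets the page again.
    print("fresh IP, first visit:", gate.handle("198.51.100.21", UAS[0])[0])
```

The practical consequence for analysis: make the first request count (fetch with full headers and body saved, from an address you can afford to burn), and to re-fetch change the egress IP rather than the browser. ICMP reachability says nothing about this gate, since it sits in the HTTP handler, not in the network stack.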
